Implement A2A Server

Creates a compliant A2A server for managing JSON-RPC 2.0 requests and task lifecycles, enabling multi-agent workflows.

Security score: 18/100

The Implement A2A Server skill was audited on Mar 3, 2026 and we found 18 security issues across 3 threat categories. Review the findings below before installing.

Categories Tested

Security Issues

medium line 98

Template literal with variable interpolation in command context

Source: SKILL.md
98: error: { code: -32601, message: `Method not found: ${request.method}` },
medium line 242

Template literal with variable interpolation in command context

Source: SKILL.md
242: error: { code: -32001, message: `Task not found: ${taskId}` },
medium line 337

Template literal with variable interpolation in command context

Source: SKILL.md
337: res.write(`event: ${event}\ndata: ${JSON.stringify(data)}\n\n`);
medium line 413

Curl to non-GitHub URL

Source: SKILL.md
413: curl -s http://localhost:3000/.well-known/agent.json | python3 -m json.tool
medium line 416

Curl to non-GitHub URL

Source: SKILL.md
416: curl -X POST http://localhost:3000/ \
medium line 38

Webhook reference - potential data exfiltration

Source: SKILL.md
38: - **Optional**: Push notification webhook support (`true` or `false`)
medium line 370

Webhook reference - potential data exfiltration

Source: SKILL.md
370: ### Step 5: Add Push Notification Webhook Support
medium line 372

Webhook reference - potential data exfiltration

Source: SKILL.md
372: 5.1. If `pushNotifications` is enabled in the Agent Card, implement webhook registration via `tasks/pushNotification/set`:
medium line 374

Webhook reference - potential data exfiltration

Source: SKILL.md
374: - Validate the webhook URL uses HTTPS; reject with error code `-32004` otherwise
medium line 377

Webhook reference - potential data exfiltration

Source: SKILL.md
377: 5.2. Send webhook callbacks on task state changes:
medium line 379

Webhook reference - potential data exfiltration

Source: SKILL.md
379: - POST a JSON payload with `taskId`, `eventType`, `status`, and `timestamp` to the webhook URL
medium line 382

Webhook reference - potential data exfiltration

Source: SKILL.md
382: 5.3. Implement retry logic for failed webhooks (exponential backoff, max 3 retries).
medium line 386

Webhook reference - potential data exfiltration

Source: SKILL.md
386: **Expected:** Webhook registration and delivery with retry logic.
medium line 388

Webhook reference - potential data exfiltration

Source: SKILL.md
388: **On failure:** Push notification failures must never affect task execution. Log errors and continue. If the webhook URL is persistently unreachable, remove the subscription after max retries.
medium line 395

Webhook reference - potential data exfiltration

Source: SKILL.md
395: - Throw at startup if the card advertises `pushNotifications: true` but webhooks are not enabled
medium line 432

Webhook reference - potential data exfiltration

Source: SKILL.md
432: - [ ] Push notifications deliver webhooks on state changes (if enabled)
low line 413

External URL reference

Source: SKILL.md
413: curl -s http://localhost:3000/.well-known/agent.json | python3 -m json.tool
low line 416

External URL reference

Source: SKILL.md
416: curl -X POST http://localhost:3000/ \
Scanned on Mar 3, 2026